From f90c4bd6a1482a4fe4227fecda5afc91ffdf2051 Mon Sep 17 00:00:00 2001
From: Penar Musaraj
Date: Mon, 7 Jun 2021 14:59:15 -0400
Subject: [PATCH] DEV: Allow plugins to extend frame-ancestors (#13316)
---
 lib/content_security_policy/builder.rb | 2 +-
 spec/fixtures/plugins/csp_extension/plugin.rb | 3 +-
 spec/lib/content_security_policy_spec.rb | 53 +++++++++++++------
 3 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/lib/content_security_policy/builder.rb b/lib/content_security_policy/builder.rb
index e59e8e2ecd9..fe2e830ba1a 100644
--- a/lib/content_security_policy/builder.rb
+++ b/lib/content_security_policy/builder.rb
@@ -5,6 +5,7 @@ class ContentSecurityPolicy
 class Builder
 EXTENDABLE_DIRECTIVES = %i[
 base_uri
+ frame_ancestors
 object_src
 script_src
 worker_src
@@ -16,7 +17,6 @@ class ContentSecurityPolicy
 default_src
 font_src
 form_action
- frame_ancestors
 frame_src
 img_src
 manifest_src
diff --git a/spec/fixtures/plugins/csp_extension/plugin.rb b/spec/fixtures/plugins/csp_extension/plugin.rb
index cfab239dd33..364dd10361d 100644
--- a/spec/fixtures/plugins/csp_extension/plugin.rb
+++ b/spec/fixtures/plugins/csp_extension/plugin.rb
@@ -7,5 +7,6 @@
 extend_content_security_policy(
 script_src: ['https://from-plugin.com'],
- object_src: ['https://test-stripping.com']
+ object_src: ['https://test-stripping.com'],
+ frame_ancestors: ['https://frame-ancestors-plugin.ext']
 )
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index 5d4e0daafa5..73192cda2d9 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
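Review bot: Moving `frame_ancestors` into EXTENDABLE_DIRECTIVES lets any enabled plugin append embedding origins to the directive that supersedes X-Frame-Options as the clickjacking control, and nothing in this hunk documents that or constrains what a plugin may add; the list has no comment distinguishing extendable directives from fixed ones. I would add above the constant `# Directives a plugin may append sources to via extend_content_security_policy.` and beside the new entry `frame_ancestors # widens which origins may embed the site; plugin values should be specific hosts, not wildcards`. Whether the builder still applies plugin-supplied frame_ancestors values when content_security_policy_frame_ancestors is off, or rejects wildcard sources, is outside this hunk and worth confirming. The EXTENDABLE_DIRECTIVES list and the Builder class continue past the hunk.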
@@ -188,26 +188,49 @@ describe ContentSecurityPolicy do
 end
 end
- it 'can be extended by plugins' do
- plugin = Class.new(Plugin::Instance) do
- attr_accessor :enabled
- def enabled?
- @enabled
+ context 'with a plugin' do
+ let(:plugin_class) do
+ Class.new(Plugin::Instance) do
+ attr_accessor :enabled
+ def enabled?
+ @enabled
+ end
 end
- end.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
+ end
- plugin.activate!
- Discourse.plugins << plugin
+ it 'can extend script-src and object-src' do
+ plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
- plugin.enabled = true
- expect(parse(policy)['script-src']).to include('https://from-plugin.com')
- expect(parse(policy)['object-src']).to include('https://test-stripping.com')
- expect(parse(policy)['object-src']).to_not include("'none'")
+ plugin.activate!
+ Discourse.plugins << plugin
- plugin.enabled = false
- expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
+ plugin.enabled = true
+ expect(parse(policy)['script-src']).to include('https://from-plugin.com')
+ expect(parse(policy)['object-src']).to include('https://test-stripping.com')
+ expect(parse(policy)['object-src']).to_not include("'none'")
- Discourse.plugins.pop
+ plugin.enabled = false
+ expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
+
+ Discourse.plugins.delete plugin
+ end
+
+ it 'can extend frame_ancestors' do
+ SiteSetting.content_security_policy_frame_ancestors = true
+ plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
+
+ plugin.activate!
+ Discourse.plugins << plugin
+
+ plugin.enabled = true
+ expect(parse(policy)['frame-ancestors']).to include("'self'")
+ expect(parse(policy)['frame-ancestors']).to include('https://frame-ancestors-plugin.ext')
+
+ plugin.enabled = false
+ expect(parse(policy)['frame-ancestors']).to_not include('https://frame-ancestors-plugin.ext')
+
+ Discourse.plugins.delete plugin
+ end
 end
 it 'only includes unsafe-inline for qunit paths' do
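Review bot: `Discourse.plugins.delete plugin` at the end of both new examples only runs when every expectation before it passes, so one failing assertion leaves the fixture plugin registered for every later example in the suite; moving the cleanup out of the example body fixes that, e.g. `let(:plugin) { plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb") }` together with `after { Discourse.plugins.delete(plugin) }`. The frame-ancestors example sets `SiteSetting.content_security_policy_frame_ancestors = true` and never restores it, which is only safe if the suite resets site settings between examples — worth confirming. There is also no example with that setting off, so the spec does not pin whether plugin-supplied frame_ancestors sources are dropped in that case; since this directive decides which origins may embed the site, that is the case most worth asserting. The enclosing `describe` block starts and ends outside the hunk.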